A key rotation that results in a first key version associated with a key being replaced by a second key version associated with the same key, wherein the first key version remains associated with the key for decrypting a previously generated ciphertext but not for future encryption requests. The first key version may be associated with a first cryptographic key material and the second key version may be associated with a second cryptographic key material different from the first cryptographic key material.
Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
2. The system of claim 1, wherein the first web service API request or the second web service API request is a hypertext transfer protocol (HTTP)-based request.
This invention relates to a system for managing web service API requests, specifically addressing the need for efficient and secure handling of API communications between different services. The system includes a first web service API request and a second web service API request, where at least one of these requests is an HTTP-based request. The system further includes a first web service configured to receive the first web service API request and a second web service configured to receive the second web service API request. Additionally, the system comprises a request processing module that processes the first and second web service API requests, ensuring proper routing and handling of the requests between the services. The system may also include a security module that authenticates and authorizes the API requests before they are processed, ensuring secure communication. The invention aims to improve the reliability and security of API-based interactions in distributed systems by standardizing request formats and enforcing security protocols. The use of HTTP-based requests allows for compatibility with widely adopted web protocols, facilitating integration with existing systems. The system may also include a response handling module that manages the responses generated by the web services, ensuring that the responses are properly formatted and delivered to the requesting entities. This invention is particularly useful in environments where multiple services need to communicate securely and efficiently over APIs.
3. The system of claim 2, wherein the HTTP-based request is a POST request.
4. The system of claim 1, wherein the first cryptographic key and the second cryptographic key are symmetric keys.
The invention relates to a cryptographic system designed to enhance secure communication by using symmetric cryptographic keys. The system addresses the problem of ensuring secure data transmission and storage by employing symmetric key cryptography, which provides efficient encryption and decryption using the same key for both processes. Symmetric keys are shared between authorized parties, allowing for fast and computationally efficient encryption while maintaining strong security. The system includes a key management module that generates, distributes, and manages the symmetric keys used for encrypting and decrypting data. The keys are stored securely and accessed only by authorized entities, ensuring that unauthorized parties cannot decrypt the protected data. The system also includes an encryption module that encrypts data using the symmetric keys and a decryption module that decrypts the data using the same keys. This approach ensures that data remains confidential during transmission and storage. The use of symmetric keys simplifies key management compared to asymmetric cryptography, as it requires only one key per communication session. The system is particularly useful in applications where performance and efficiency are critical, such as real-time communication, secure file storage, and encrypted database systems. By leveraging symmetric cryptography, the system provides a balance between security and computational efficiency, making it suitable for various secure communication and data protection scenarios.
6. The system of claim 5, wherein the third web service API request includes the second key version in an optional parameter.
8. The computer-implemented method of claim 7, wherein the first cryptographic key continues to be usable for the future decryption requests contingent upon the first key state indicating that the first cryptographic key is enabled.
11. The computer-implemented method of claim 7, wherein the second key version is greater in value than the first key version based at least in part on the second cryptographic key being associated with the key identifier after the first cryptographic key was associated with the key identifier.
12. The computer-implemented method of claim 7, wherein performing the key rotation comprises causing the second cryptographic key to be generated.
A system and method for cryptographic key management in secure data processing environments. The invention addresses the challenge of securely rotating cryptographic keys to maintain data confidentiality and integrity without disrupting ongoing operations. The method involves generating a second cryptographic key to replace an existing key, ensuring seamless transition while maintaining security. The key rotation process is automated and integrated into a broader cryptographic framework, allowing for periodic or event-triggered updates to cryptographic keys used for encrypting and decrypting data. The system ensures that the new key is generated according to predefined security policies, including key length, algorithm selection, and entropy requirements. The method also includes validating the new key before deployment to prevent weak or compromised keys from being used. This approach minimizes the risk of key exposure and enhances overall system security by regularly refreshing cryptographic keys. The invention is particularly useful in environments where long-term key usage poses security risks, such as cloud computing, financial transactions, and sensitive data storage. The automated key rotation process reduces manual intervention, lowering the risk of human error and improving operational efficiency.
13. The computer-implemented method of claim 12, wherein causing the second cryptographic key to be generated comprises using a hardware security module (HSM) to generate the second cryptographic key.
14. The computer-implemented method of claim 7, wherein the decryption requests are performed using the Advanced Encryption Standard.
15. The computer-implemented method of claim 14, wherein the Advanced Encryption Standard includes 256-bit Advanced Encryption Standard (AES-256) keys in Galois Counter Mode (GCM).
18. The computer-implemented method of claim 16, wherein the first cryptographic key is unusable for the second set of cryptographic operations based at least in part on the second key version indicating that the second cryptographic key is newer than the first cryptographic key.
This invention relates to cryptographic key management systems, specifically addressing the challenge of ensuring cryptographic keys are used appropriately based on their versioning to prevent unauthorized or outdated operations. The method involves managing cryptographic keys in a system where keys are assigned version identifiers to track their validity and usage scope. When a cryptographic operation is requested, the system checks the version of the key being used against the version of another key involved in the operation. If the key being used is older than the other key, the system prevents the operation from proceeding, ensuring that only the most up-to-date keys are used for cryptographic functions. This prevents security vulnerabilities that could arise from using outdated keys, such as decryption or signing operations that might compromise data integrity or confidentiality. The system dynamically enforces key versioning rules to maintain secure cryptographic operations, particularly in environments where keys are frequently updated or rotated. The method ensures that cryptographic operations are only performed with keys that meet the required version criteria, enhancing overall system security.
19. The computer-implemented method of claim 16, wherein the cryptographic operation is for validation of a digital signature.
20. The computer-implemented method of claim 16, wherein the second cryptographic key is associated with the key identifier as part of a manual key rotation performed in response to a second web service API request by a user of a computing resource service provider.
This technical summary describes a method for managing cryptographic keys in a computing resource service provider environment. The method addresses the challenge of securely rotating cryptographic keys to maintain data security and compliance. A second cryptographic key is associated with a key identifier through a manual key rotation process. This process is triggered by a user's request via a web service API, ensuring controlled and auditable key updates. The system verifies the user's authorization before executing the rotation, preventing unauthorized access. The key identifier remains consistent, allowing seamless integration with existing systems while updating the underlying cryptographic material. This approach enhances security by enabling periodic key changes without disrupting service operations. The method supports compliance with security standards by providing a structured, user-initiated mechanism for key rotation. The system may also log the rotation event for auditing purposes, ensuring accountability. This solution is particularly useful in cloud computing environments where secure key management is critical for protecting sensitive data.
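The rotation behaviour in the abstract and in claims 8, 10 and 15, as an added example that is not taken from the patent or from any provider's implementation: one key identifier holds several versions, encryption uses only the newest, and decryption selects the version recorded in the ciphertext, provided that version is enabled. The `RotatingKey` class, the in-memory storage and the blob layout are assumptions made for illustration.

```javascript
const crypto = require("crypto");

// Hypothetical in-memory model: one key identifier, many versions of key material.
class RotatingKey {
  constructor() {
    this.versions = [];
    this.rotate(); // creates version 1
  }

  // Rotation appends fresh AES-256 material; the new version number is strictly greater.
  rotate() {
    this.versions.push({ material: crypto.randomBytes(32), enabled: true });
    return this.versions.length;
  }

  // Material for a version; unknown or disabled versions are refused.
  material(version) {
    const v = this.versions[version - 1];
    if (!v || !v.enabled) throw new Error(`key version ${version} unavailable`);
    return v.material;
  }

  // Encrypt only with the newest version. Blob: version(4) | nonce(12) | tag(16) | ciphertext.
  encrypt(plaintext) {
    const header = Buffer.alloc(4);
    header.writeUInt32BE(this.versions.length);
    const nonce = crypto.randomBytes(12);
    const key = this.material(this.versions.length);
    const c = crypto.createCipheriv("aes-256-gcm", key, nonce);
    c.setAAD(header); // binds the version number to the ciphertext
    const body = Buffer.concat([c.update(plaintext), c.final()]);
    return Buffer.concat([header, nonce, c.getAuthTag(), body]);
  }

  // Decrypt with the version named in the blob, so pre-rotation ciphertext still opens.
  decrypt(blob) {
    if (blob.length < 32) throw new Error("blob too short");
    const key = this.material(blob.readUInt32BE(0));
    const d = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(4, 16));
    d.setAAD(blob.subarray(0, 4));
    d.setAuthTag(blob.subarray(16, 32));
    return Buffer.concat([d.update(blob.subarray(32)), d.final()]);
  }
}
```

Because the version header is authenticated as associated data, rewriting it to point at another version makes decryption fail instead of silently selecting the wrong key.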
March 6, 2020
October 11, 2022